276 lines
9.5 KiB
SQL
276 lines
9.5 KiB
SQL
-- Unexpected programs communicating over HTTPS (state-based)
|
|
--
|
|
-- This query is a bit awkward and hobbled due to the lack of osquery support
|
|
-- for looking up binary signatures in Linux.
|
|
--
|
|
-- references:
|
|
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
|
|
--
|
|
-- tags: transient state net often
|
|
-- platform: linux
|
|
SELECT s.remote_address,
|
|
p.name,
|
|
p.cgroup_path,
|
|
p.path,
|
|
p.cmdline AS child_cmd,
|
|
p.cwd,
|
|
pp.path AS parent_path,
|
|
p.parent AS parent_pid,
|
|
pp.cmdline AS parent_cmd,
|
|
s.local_address,
|
|
s.local_port,
|
|
s.state,
|
|
hash.sha256,
|
|
-- This intentionally avoids file.path, as it won't join across mount namespaces
|
|
CONCAT (
|
|
MIN(p.euid, 500),
|
|
',',
|
|
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
|
|
',',
|
|
MIN(f.uid, 500),
|
|
'u,',
|
|
MIN(f.gid, 500),
|
|
'g,',
|
|
p.name
|
|
) AS exception_key
|
|
FROM process_open_sockets s
|
|
LEFT JOIN processes p ON s.pid = p.pid
|
|
LEFT JOIN processes pp ON p.parent = pp.pid
|
|
LEFT JOIN file f ON p.path = f.path
|
|
LEFT JOIN hash ON p.path = hash.path
|
|
WHERE protocol IN (6, 17)
|
|
AND s.remote_port = 443
|
|
AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
|
|
AND s.remote_address NOT LIKE 'fe80:%'
|
|
AND s.remote_address NOT LIKE '127.%'
|
|
AND s.remote_address NOT LIKE '192.168.%'
|
|
AND s.remote_address NOT LIKE '172.1%'
|
|
AND s.remote_address NOT LIKE '172.2%'
|
|
AND s.remote_address NOT LIKE '172.30.%'
|
|
AND s.remote_address NOT LIKE '172.31.%'
|
|
AND s.remote_address NOT LIKE '::ffff:172.%'
|
|
AND s.remote_address NOT LIKE '10.%'
|
|
AND s.remote_address NOT LIKE '::ffff:10.%'
|
|
AND s.remote_address NOT LIKE 'fc00:%'
|
|
AND p.path != ''
|
|
AND NOT exception_key IN (
|
|
'0,apk,u,g,apk',
|
|
'0,applydeltarpm,0u,0g,applydeltarpm',
|
|
'0,bash,0u,0g,bash',
|
|
'0,bash,0u,0g,mkinitcpio',
|
|
'0,bash,0u,0g,sh',
|
|
'0,chainctl,0u,0g,chainctl',
|
|
'0,cmake,u,g,cmake',
|
|
'0,containerd,u,g,containerd',
|
|
'0,dirmngr,0u,0g,dirmngr',
|
|
'0,dockerd,0u,0g,dockerd',
|
|
'0,flatpak-system-helper,0u,0g,flatpak-system-',
|
|
'0,git-remote-http,0u,0g,git-remote-http',
|
|
'0,kmod,0u,0g,depmod',
|
|
'0,launcher,0u,0g,launcher',
|
|
'0,launcher,500u,500g,launcher',
|
|
'0,ldconfig,0u,0g,ldconfig',
|
|
'0,nessusd,0u,0g,nessusd',
|
|
'0,nix,0u,0g,nix',
|
|
'0,nix,0u,0g,nix-daemon',
|
|
'0,packagekitd,0u,0g,packagekitd',
|
|
'0,pacman,0u,0g,pacman',
|
|
'0,python3.10,0u,0g,dnf',
|
|
'0,python3.10,0u,0g,dnf-automatic',
|
|
'0,python3.10,0u,0g,yum',
|
|
'0,python3.11,0u,0g,dnf',
|
|
'0,python3.11,0u,0g,dnf-automatic',
|
|
'0,python3.11,0u,0g,yum',
|
|
'0,rpi-imager,0u,0g,rpi-imager',
|
|
'0,snapd,0u,0g,snapd',
|
|
'0,tailscaled,0u,0g,tailscaled',
|
|
'0,tailscaled,500u,500g,tailscaled',
|
|
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
|
|
'105,http,0u,0g,https',
|
|
'106,geoclue,0u,0g,geoclue',
|
|
'500,1password,0u,0g,1password',
|
|
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
|
|
'500,act,0u,0g,act',
|
|
'500,apk,500u,500g,apk',
|
|
'500,apko,500u,500g,apko',
|
|
'500,apko,u,g,apko',
|
|
'500,apk,u,g,apk',
|
|
'500,aws,0u,0g,aws',
|
|
'500,aws,500u,500g,aws',
|
|
'500,bom,500u,500g,bom',
|
|
'500,bom-linux-amd64,500u,500g,bom-linux-amd64',
|
|
'500,Brackets,0u,0g,Brackets',
|
|
'500,brave,0u,0g,brave',
|
|
'500,buildkitd,500u,500g,buildkitd',
|
|
'500,cargo,0u,0g,cargo',
|
|
'500,cargo,500u,500g,cargo',
|
|
'500,chainctl,0u,0g,chainctl',
|
|
'500,chainctl,500u,100g,chainctl',
|
|
'500,chainctl,500u,493g,chainctl',
|
|
'500,chainctl,500u,500g,chainctl',
|
|
'500,chrome,0u,0g,chrome',
|
|
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
|
|
'500,code,0u,0g,code',
|
|
'500,code,500u,500g,code',
|
|
'500,containerd,u,g,containerd',
|
|
'500,cosign,500u,500g,cosign',
|
|
'500,cosign-linux-amd64,0u,0g,cosign',
|
|
'500,crane,0u,0g,crane',
|
|
'500,crane,500u,500g,crane',
|
|
'500,curl,0u,0g,curl',
|
|
'500,Discord,0u,0g,Discord',
|
|
'500,Discord,u,g,Discord',
|
|
'500,docker,0u,0g,docker',
|
|
'500,eksctl,0u,0g,eksctl',
|
|
'500,eksctl,500u,500g,eksctl',
|
|
'500,electron,0u,0g,electron',
|
|
'500,evolution-addressbook-factory,0u,0g,evolution-addre',
|
|
'500,evolution-calendar-factory,0u,0g,evolution-calen',
|
|
'500,firefox,0u,0g,firefox',
|
|
'500,firefox,0u,0g,.firefox-wrappe',
|
|
'500,firefox,0u,0g,Socket Process',
|
|
'500,flameshot,0u,0g,flameshot',
|
|
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
|
|
'500,flux,500u,500g,flux',
|
|
'500,geoclue,0u,0g,geoclue',
|
|
'500,gh,0u,0g,gh',
|
|
'500,git,0u,0g,git',
|
|
'500,git-remote-http,0u,0g,git-remote-http',
|
|
'500,gitsign,0u,0g,gitsign',
|
|
'500,gitsign,500u,0g,gitsign',
|
|
'500,gitsign,500u,500g,gitsign',
|
|
'500,gitsign-credential-cache,500u,500g,gitsign-credent',
|
|
'500,gjs-console,0u,0g,org.gnome.Maps',
|
|
'500,gnome-recipes,0u,0g,gnome-recipes',
|
|
'500,gnome-shell,0u,0g,gnome-shell',
|
|
'500,gnome-software,0u,0g,gnome-software',
|
|
'500,go,0u,0g,go',
|
|
'500,go,500u,500g,go',
|
|
'500,goa-daemon,0u,0g,goa-daemon',
|
|
'500,go,u,g,go',
|
|
'500,grafana,u,g,grafana',
|
|
'500,grype,0u,0g,grype',
|
|
'500,grype,500u,500g,grype',
|
|
'500,gsd-datetime,0u,0g,gsd-datetime',
|
|
'500,gvfsd-google,0u,0g,gvfsd-google',
|
|
'500,gvfsd-http,0u,0g,gvfsd-http',
|
|
'500,helm,0u,0g,helm',
|
|
'500,htop,0u,0g,htop',
|
|
'500,hugo,500u,500g,hugo',
|
|
'500,io.elementary.appcenter,0u,0g,io.elementary.a',
|
|
'500,istioctl,500u,500g,istioctl',
|
|
'500,java,0u,0g,java',
|
|
'500,java,500u,500g,java',
|
|
'500,java,u,g,java',
|
|
'500,jcef_helper,500u,500g,jcef_helper',
|
|
'500,jetbrains-toolbox,u,g,jetbrains-toolb',
|
|
'500,kbfsfuse,0u,0g,kbfsfuse',
|
|
'500,keybase,0u,0g,keybase',
|
|
'500,Keybase,0u,0g,Keybase',
|
|
'500,ko,500u,500g,ko',
|
|
'500,ko,u,g,ko',
|
|
'500,kpromo,500u,500g,kpromo',
|
|
'500,krel,500u,500g,krel',
|
|
'500,kubectl,0u,0g,kubectl',
|
|
'500,kubectl,500u,500g,kubectl',
|
|
'500,lens,0u,0g,lens',
|
|
'500,limactl,0u,0g,limactl',
|
|
'500,mconvert,500u,500g,mconvert',
|
|
'500,melange,500u,500g,melange',
|
|
'500,melange,u,g,melange',
|
|
'500,Melvor Idle,500u,500g,exe',
|
|
'500,minikube,0u,0g,minikube',
|
|
'500,nautilus,0u,0g,nautilus',
|
|
'500,nerdctl,500u,500g,nerdctl',
|
|
'500,nix,0u,0g,nix',
|
|
'500,node,0u,0g,node',
|
|
'500,node,0u,0g,.node2nix-wrapp',
|
|
'500,node,u,g,node',
|
|
'500,obs,0u,0g,obs',
|
|
'500,obs-browser-page,0u,0g,obs-browser-pag',
|
|
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
|
|
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
|
|
'500,obsidian,u,g,obsidian',
|
|
'500,obs,u,g,obs',
|
|
'500,pacman,0u,0g,pacman',
|
|
'500,php8.1,0u,0g,php',
|
|
'500,pingsender,0u,0g,pingsender',
|
|
'500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
|
|
'500,promoter,500u,500g,promoter',
|
|
'500,publish-release,500u,500g,publish-release',
|
|
'500,python3,0u,0g,python3',
|
|
'500,python3.10,0u,0g,aws',
|
|
'500,python3.10,0u,0g,python',
|
|
'500,python3.10,0u,0g,python3',
|
|
'500,python3.11,0u,0g,gnome-abrt',
|
|
'500,python3.11,0u,0g,protonvpn',
|
|
'500,python3.11,0u,0g,prowler',
|
|
'500,python3,500u,500g,python3',
|
|
'500,python.test,500u,500g,python.test',
|
|
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
|
|
'500,reporter-ureport,0u,0g,reporter-urepor',
|
|
'500,rpi-imager,0u,0g,rpi-imager',
|
|
'500,rustup,0u,0g,rustup',
|
|
'500,scoville,500u,500g,scoville',
|
|
'500,signal-desktop,0u,0g,signal-desktop',
|
|
'500,signal-desktop,u,g,signal-desktop',
|
|
'500,slack,0u,0g,slack',
|
|
'500,slack,u,g,slack',
|
|
'500,k6,500u,500g,k6',
|
|
'500,slirp4netns,0u,0g,slirp4netns',
|
|
'500,slirp4netns,500u,500g,slirp4netns',
|
|
'500,snap-store,0u,0g,snap-store',
|
|
'500,spotify,0u,0g,spotify',
|
|
'500,spotify,500u,500g,spotify',
|
|
'500,stern,500u,500g,stern',
|
|
'500,spotify,u,g,spotify',
|
|
'500,steam,500u,100g,steam',
|
|
'500,steam,500u,500g,steam',
|
|
'500,steamwebhelper,500u,100g,steamwebhelper',
|
|
'500,steamwebhelper,500u,500g,steamwebhelper',
|
|
'500,step,500u,500g,step',
|
|
'500,step-cli,0u,0g,step',
|
|
'500,syncthing,0u,0g,syncthing',
|
|
'500,teams,0u,0g,teams',
|
|
'500,terraform,0u,0g,terraform',
|
|
'500,terraform,500u,500g,terraform',
|
|
'500,thunderbird,0u,0g,thunderbird',
|
|
'500,thunderbird,u,g,thunderbird',
|
|
'500,tilt,500u,500g,tilt',
|
|
'500,todoist,0u,0g,todoist',
|
|
'500,trivy,0u,0g,trivy',
|
|
'500,trivy,500u,500g,trivy',
|
|
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
|
|
'500,wget,0u,0g,wget',
|
|
'500,wolfictl,500u,500g,wolfictl',
|
|
'500,WPILibInstaller,500u,500g,WPILibInstaller',
|
|
'500,xmobar,0u,0g,xmobar',
|
|
'500,yay,0u,0g,yay',
|
|
'500,zdup,500u,500g,zdup',
|
|
'500,zoom,0u,0g,zoom',
|
|
'500,zoom.real,u,g,zoom.real',
|
|
'80,6,500,python3.11,0u,0g,yum',
|
|
'88,6,500,syncthing,0u,0g,syncthing'
|
|
) -- Exceptions where we have to be more flexible for the process name
|
|
AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
|
|
AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
|
|
AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
|
|
AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' -- stay weird, NixOS (Fastly nix mirror)
|
|
AND NOT (
|
|
pp.cmdline = '/run/current-system/sw/bin/bash'
|
|
AND p.path LIKE '/nix/store/%'
|
|
AND s.remote_address LIKE '151.101.%'
|
|
AND s.state = 'ESTABLISHED'
|
|
)
|
|
AND NOT (
|
|
exception_key LIKE '500,%,500u,500g,%'
|
|
AND p.path LIKE '/tmp/go-build%/exe/%'
|
|
)
|
|
AND NOT (
|
|
exception_key = '0,curl,0u,0g,curl'
|
|
AND p.cmdline = 'curl --fail https://ipinfo.io/timezone'
|
|
) -- Exclude processes running inside of containers
|
|
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
|
|
AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%' -- Tests
|
|
AND NOT p.path LIKE '/tmp/go-build%.test'
|
|
GROUP BY p.cmdline |